AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 2/10/2025

Coinbase accused of neglecting security, costing users up to $300M annually

Cryptocurrency investigators ZachXBT and tanuki42 accused Coinbase of failing to address security vulnerabilities and scam incidents that have cost investors millions of dollars each month. On Feb. 3, independent crypto investigator ZachXBT and tanuki42 from zeroShadow reported that Coinbase users lost more than $65 million in December 2024 and January 2025 alone. Still, the duo claimed the losses were even higher, as their calculations do not consider inaccessible police complaints. “Our number is likely much lower than the actual amount stolen as our data was limited to my DMs and thefts we discovered onchain, which does not account for Coinbase support tickets and police reports we do not have access to,” ZachXBT said in an X post.

Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look ‘insignificant’

Abandoned AWS S3 buckets could be reused to hijack the global software supply chain in an attack that would make Russia’s “SolarWinds adventures look amateurish and insignificant,” watchTowr Labs security researchers have claimed. The researchers, in a report due out this morning, say they identified about 150 Amazon-hosted cloud storage buckets that were long gone yet applications and websites were still trying to pull software updates and other code from them. If someone were to take over those buckets, they could use them to feed malicious software into people’s devices. These S3 buckets had previously been owned or used by governments, Fortune 500 firms, technology and cybersecurity companies, and major open source projects.
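The defensive check implied by this report is an inventory of every S3 bucket your own build scripts, installers and update clients still fetch from, followed by a test of whether each bucket still exists. The script below is an added example, not watchTowr's tooling; the configuration fragments and bucket names are constructed, and the `head_bucket_status` helper (an unauthenticated HEAD against the global endpoint, where 404 means the name is unclaimed, 403 or 200 means it exists, and a 301 means it exists in another region) is only used when you wire it in yourself.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Set

# Constructed sample: fragments of build scripts and config that pull code from S3.
SAMPLE_CONFIG = """
UPDATE_URL=https://acme-updates.s3.amazonaws.com/agent/latest.tar.gz
curl -sSL https://s3.us-west-2.amazonaws.com/legacy-installers/setup.sh | sh
wget https://old-builds.s3-eu-west-1.amazonaws.com/v1/plugin.zip
aws s3 cp s3://acme-artifacts/release.json .
mirror: https://s3.amazonaws.com/community-mirror/index.html
docs: https://example.com/not-a-bucket/path
"""

_BUCKET = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
_S3_PATTERNS = [
    # virtual-hosted style: BUCKET.s3.amazonaws.com, BUCKET.s3.REGION..., BUCKET.s3-REGION...
    re.compile(r"https?://" + _BUCKET + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", re.I),
    # path style: s3.amazonaws.com/BUCKET or s3.REGION.amazonaws.com/BUCKET
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _BUCKET, re.I),
    # s3:// URIs used by the AWS CLI and SDKs
    re.compile(r"s3://" + _BUCKET, re.I),
]


def extract_bucket_names(text: str) -> Set[str]:
    """Return every distinct bucket name referenced in the given text."""
    names: Set[str] = set()
    for pattern in _S3_PATTERNS:
        for match in pattern.finditer(text):
            names.add(match.group(1).lower())  # bucket names are lowercase
    return names


def head_bucket_status(bucket: str, timeout: float = 5.0) -> int:
    """Live check (needs network): HTTP status of an unauthenticated HEAD on the bucket."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def triage_buckets(buckets: Set[str], status_of: Callable[[str], int]) -> Dict[str, List[str]]:
    """Classify referenced buckets: 'missing' is the dangerous case (name is claimable)."""
    report: Dict[str, List[str]] = {"present": [], "missing": [], "error": []}
    for bucket in sorted(buckets):
        code = status_of(bucket)
        if code == 404:
            report["missing"].append(bucket)
        elif code in (200, 301, 307, 403):
            report["present"].append(bucket)
        else:
            report["error"].append(bucket)
    return report


# Constructed responses standing in for head_bucket_status so the demo runs offline.
SIMULATED_STATUS = {
    "acme-updates": 200,
    "legacy-installers": 404,
    "old-builds": 404,
    "acme-artifacts": 403,
    "community-mirror": 200,
}


def simulated_status(bucket: str) -> int:
    return SIMULATED_STATUS.get(bucket, 404)


if __name__ == "__main__":
    found = extract_bucket_names(SAMPLE_CONFIG)
    for category, names in triage_buckets(found, simulated_status).items():
        print(category, names)
```

Replace `simulated_status` with `head_bucket_status` to run it for real. Any bucket that lands in `missing` while your code still fetches from it is precisely the condition the article describes: the fix is to remove the reference or re-create the bucket under an account you control, and to keep the check in CI so a later bucket deletion is noticed.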

Poisoned Go programming language package lay undetected for 3 years

A security researcher says a backdoor masquerading as a legitimate Go programming language package used by thousands of organizations was left undetected for years. Kirill Boychenko, threat intelligence analyst at Socket Security, blogged today about what seems to be a supply chain attack on the BoltDB database module, which is depended on by more than 8,000 other packages and major organizations such as Shopify and Heroku. BoltDB, the legitimate URL of which is github.com/boltdb/bolt, was created nine years ago but was declared complete by the author a year later and hasn’t been updated since.
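The article names the legitimate module path (github.com/boltdb/bolt) but not the mechanism by which the backdoored package masqueraded as it. The example below is an added one, not Socket's or BoltDB's code, and assumes the masquerade is a lookalike module path: it parses the `require` entries of a go.mod and flags any module whose path is within a small edit distance of a path on your allowlist without being identical. The go.mod content, the allowlist and the lookalike path `github.com/b0ltdb/bolt` are all constructed for the demo.

```python
from typing import Dict, List, Set, Tuple

# Constructed go.mod; the "b0ltdb" entry is an invented lookalike, not the real malicious package.
SAMPLE_GO_MOD = """module example.com/app

go 1.22

require (
    github.com/boltdb/bolt v1.3.1
    github.com/b0ltdb/bolt v1.3.1 // constructed lookalike
    golang.org/x/crypto v0.31.0
)

require github.com/stretchr/testify v1.9.0
"""

# Constructed allowlist of module paths the project is expected to depend on.
CANONICAL_MODULES: Set[str] = {
    "github.com/boltdb/bolt",
    "golang.org/x/crypto",
    "github.com/stretchr/testify",
}


def parse_go_mod_requires(text: str) -> List[Tuple[str, str]]:
    """Return (module path, version) pairs from single-line and block require directives."""
    requires: List[Tuple[str, str]] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing comments such as "// indirect"
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            parts = line.split()
            if len(parts) >= 2:
                requires.append((parts[0], parts[1]))
        elif line.startswith("require ("):
            in_block = True
        elif line.startswith("require "):
            parts = line.split()
            if len(parts) >= 3:
                requires.append((parts[1], parts[2]))
    return requires


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss module paths."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_modules(requires: List[Tuple[str, str]], canonical: Set[str],
                  max_distance: int = 2) -> Dict[str, List[str]]:
    """Classify each required module as allowlisted, a lookalike of one, or simply unknown."""
    result: Dict[str, List[str]] = {"ok": [], "lookalike": [], "unknown": []}
    for path, _version in requires:
        if path in canonical:
            result["ok"].append(path)
            continue
        nearest = min(canonical, key=lambda c: edit_distance(path, c))
        if edit_distance(path, nearest) <= max_distance:
            result["lookalike"].append(f"{path} (resembles {nearest})")
        else:
            result["unknown"].append(path)
    return result


if __name__ == "__main__":
    for category, paths in audit_modules(parse_go_mod_requires(SAMPLE_GO_MOD), CANONICAL_MODULES).items():
        print(category, paths)
```

A `lookalike` hit deserves a manual look at the repository behind the path; an `unknown` entry is simply not on the allowlist yet. Because the module was declared complete years ago, any new version or fork of it appearing in go.sum is itself worth investigating regardless of the path.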

Novel SSH backdoor leveraged in Chinese cyberespionage attacks

Chinese cyberespionage operation Evasive Panda, also known as Daggerfly, has leveraged the new ELF/Sshdinjector.A!tr malware suite to take over network appliances’ SSH daemon in intrusions since the middle of November, according to BleepingComputer. An investigation by Fortinet FortiGuard Labs found that the malware first verifies that the network appliance has been compromised and that it is running with root privileges, and only then deploys the “libssdh.so” SSH library for data exfiltration and command-and-control communications, along with the “mainpasteheader” and “selfrecoverheader” binaries for persistence.

Billions of Chrome users at risk from new browser-hijacking Syncjacking attack — how to stay safe

Google Chrome is the most popular browser on desktop, which is why it’s also one of the most popular targets for hackers. This makes perfect sense given how much personal and sensitive info we store in our browsers, and now, hackers have come up with a clever new way to steal all that data and even take over our computers. As reported by BleepingComputer, a new attack called ‘Browser Syncjacking’ was recently spotted online by security researchers at the cybersecurity firm SquareX. The attack involves several steps, but what makes it particularly dangerous is that it’s sneaky and requires minimal permissions. There’s very little a Chrome user has to do to fall victim to it.

“Torrenting from a corporate laptop doesn’t feel right”: Meta emails unsealed

Newly unsealed emails allegedly provide the “most damning evidence” yet against Meta in a copyright case raised by book authors alleging that Meta illegally trained its AI models on pirated books. Last month, Meta admitted to torrenting a controversial large dataset known as LibGen, which includes tens of millions of pirated books. But details around the torrenting were murky until yesterday, when Meta’s unredacted emails were made public for the first time. The new evidence showed that Meta torrented “at least 81.7 terabytes of data across multiple shadow libraries through the site Anna’s Archive, including at least 35.7 terabytes of data from Z-Library and LibGen,” the authors’ court filing said. And “Meta also previously torrented 80.6 terabytes of data from LibGen.”